
Mikrotik notes

Every router is factory pre-configured with IP address 192.168.88.1/24 on ether1 or ether2 port. Default username is admin with empty password. http://wiki.mikrotik.com/wiki/Manual:First_time_startup

Note: for Wi-Fi access points, connect to the SSID Mikrotik_XXXX

Either before plugging in: the backup boot loader is loaded; or right after plugging in: the default loader is loaded.

Buttons and Jumpers

Loading the backup RouterBOOT loader

Hold this button before applying power and release it three seconds after power-up to load the backup RouterBOOT loader. This might be necessary if the device is not operating because of a failed RouterBOOT upgrade. Once the device has started with the backup loader, you can either set RouterOS to force the backup loader in the RouterBOARD settings, or reinstall the failed RouterBOOT from a fwf file (total 3 seconds).

Resetting the RouterOS configuration

If you keep holding this button for 2 more seconds until LED light starts flashing, release the button to reset RouterOS configuration (total 5 seconds).

Enabling CAPs mode

To connect this device to a wireless network managed by CAPsMAN, keep holding the button for 5 more seconds, LED turns solid, release now to turn on CAPs mode (total 10 seconds).

Starting the RouterBOARD in Netinstall mode

Or keep holding the button for 5 more seconds until the LED turns off, then release it to make the RouterBOARD look for Netinstall servers. You can also simply keep the button pressed until the device shows up in the Netinstall program on Windows (total 15 seconds).

netinstall

Set a fixed IP on the network card and give Netinstall an IP in that subnet. /!\ Do not tick "integrate a script", otherwise it will be used as the default config on a configuration restore. /!\ During Netinstall the partition is reformatted: everything that was in flash is lost!

/export
/import

Caution:

  1. if not all packages are present, the import generates errors
  2. the export does not contain the admin user/password
  3. watch the interface names and their number; for a better chance of success, use scripting: set [ find default-name=ether6 ] name=ether2
  4. check that the firewall rules have been reloaded

/system reboot
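Added example (not from these notes): a Python pre-import check for the two traps listed above, a rename of a default-name the target box does not have, and firewall rules that name an interface which will not exist after the import. The export fragment and the five-port target are constructed; the regexes assume the RouterOS 6 export layout (sections starting with "/", continuation lines ending in a backslash).

```python
import re

# Constructed export fragment (not taken from the page): written on a 24-port
# router and about to be imported on a 5-port one.
EXPORT = """\
# jan/02/1970 18:14:44 by RouterOS 6.40
/interface ethernet
set [ find default-name=ether1 ] name=wan
set [ find default-name=ether6 ] name=lan comment="from \\
    the big box"
/interface bridge
add name=br-admin
/ip firewall filter
add action=accept chain=input in-interface=lan protocol=icmp
add action=drop chain=input in-interface=wan in-interface-list=!LAN
add action=accept chain=forward in-interface=br-admin out-interface=wan
"""

def logical_lines(text):
    """Yield export lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
        else:
            yield buf + raw
            buf = ""

def check_export(text, device_default_names):
    """Compare an /export with the default-names present on the target box.
    Returns the renames of ports the target lacks (those 'set' lines do
    nothing there) and the firewall rules naming an interface that will not exist."""
    defaults = set(device_default_names)
    renames, declared, refs, section = {}, set(), {}, ""
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line.strip()
        elif section == "/interface ethernet":
            if m := re.search(r"default-name=(\S+) \] name=\"?([^\s\"]+)", line):
                renames[m.group(1)] = m.group(2)
        elif section.startswith("/interface "):  # bridge, vlan, ... declare names
            if m := re.search(r"\bname=\"?([^\s\"]+)", line):
                declared.add(m.group(1))
        elif section.startswith("/ip firewall "):
            for m in re.finditer(r"\b(?:in|out)-interface=\"?([^\s\"]+)", line):
                refs.setdefault(m.group(1), set()).add(section)
    missing = sorted(d for d in renames if d not in defaults)
    known = (defaults - set(renames)) | declared
    known |= {n for d, n in renames.items() if d in defaults}
    unknown = {i: sorted(s) for i, s in refs.items() if i not in known}
    return {"missing_default_names": missing, "unknown_references": unknown}
```

On the constructed input the report says ether6 is missing and that the "lan" rules will not load, which is exactly the case the `set [ find default-name=ether6 ] name=ether2` trick above is for.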

Managing configurations

Save a configuration

export file=date_equipment

RELOAD a configuration

Connect through out-of-band management and reset the config:

/system reset-configuration no-defaults=yes

Paste the saved config by hand (big copy-paste)

Regenerate the SSL certificate and the admin password:

# /!\  !!! CHANGE ME !!!!  /!\ :
:global adminUserName "sqdfkljqskjh"
:global adminPassword "lsqdkjfqhflhj"
:global localFqdn "slqdkfjhqlh.liberasys.com";
# /!\  !!! CHANGE ME !!!!  /!\ :

# Compute hostname: everything before the first dot of the FQDN
:global localHostname [:pick $localFqdn 0 [:find $localFqdn "."]];

# Change default admin user: create the new full-rights user first, then
# drop the built-in admin account
/user add name="$adminUserName" group=full password="$adminPassword" disabled=no
/user remove admin

:put ""
:put "======================================================================"
:put " = HTTPS certificate generation (takes some time...)"
:put "======================================================================"

# Self-signed CA, then a router certificate signed by it
/certificate
add name="catmpl-$localHostname" common-name="ca-$localHostname" key-usage=key-cert-sign,crl-sign days-valid=10000 key-size=2048
add name="fwtmpl-$localHostname" common-name="$localFqdn" days-valid=10000 key-size=2048
sign "catmpl-$localHostname" ca-crl-host=127.0.0.1 name="ca-$localHostname"
:delay 1s
sign ca="ca-$localHostname" "fwtmpl-$localHostname" name="$localHostname"
:delay 1s
set "ca-$localHostname" trusted=yes
set "$localHostname" trusted=yes
# The exported CA is what clients import so that they trust the router's HTTPS
export-certificate "ca-$localHostname"

# Wait for the signed certificate to exist before binding it to www-ssl
{
  :local count 0;
  :while ([:len [/certificate find where name="$localHostname"]] = 0) do={
    :if ($count = 30) do={
      :error "certificate $localHostname not created after 30s";
    }
    :delay 1s; :set count ($count + 1);
  }
}
/ip service set www-ssl certificate="$localHostname" disabled=no

# Note: the :global values above (including the password) stay in the script environment until reboot

Reboot the device:

/system reboot

factory config

/system reset-configuration

blank config

/system reset-configuration no-defaults=yes

show the default config script

/system default-configuration print

The /system backup command

  1. generates an RC4-encrypted file, keyed with the current user's password.
  2. does not save the user/password data nor the Dude data
  3. is treated as a binary
  4. only allows a restore on the same type of device

upgrade

Quick Set menu, Upgrade, or (> 6.31):

{
  /system package update
  check-for-updates once
  :delay 1s;
  :if ( [get status] = "New version is available") do={ install }
}

Certificates for OpenVPN (CA and router certificate)

/certificate
add name=catmpl-sd-114049-fw common-name=ca-sd-114049-fw key-usage=key-cert-sign,crl-sign days-valid=10000
add name=fwtmpl-sd-114049-fw common-name=sd-114049-fw days-valid=10000
sign catmpl-sd-114049-fw name=ca-sd-114049-fw
sign ca=ca-sd-114049-fw fwtmpl-sd-114049-fw name=sd-114049-fw
set ca-sd-114049-fw trusted=yes
set sd-114049-fw trusted=yes
export-certificate ca-sd-114049-fw

Pool, PPP profile and OpenVPN config

/ip pool add name=admin-ovpn-pool ranges=192.168.2.200-192.168.2.250
/ppp profile
add change-tcp-mss=default comment="" bridge=br-admin \
name="ovpn-admin" only-one=no \
use-compression=default use-encryption=required \
local-address=admin-ovpn-pool remote-address=admin-ovpn-pool
/ppp secret
# name and password are placeholders: one secret per user
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any
/interface ovpn-server server
# md5 and blowfish128 are only listed for old clients; with current clients keep auth=sha1 cipher=aes256
# require-client-certificate=yes additionally makes each client present a certificate signed by the CA above
set auth=sha1,md5 certificate=sd-114049-fw \
cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn-admin \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ethernet netmask=24 \
port=1194 require-client-certificate=no

client config

  1. TCP
  2. TAP
  3. no compression
  4. IPv4: automatic addresses only, enter the firewall's IP as DNS
  5. routes: tick "use this connection only for resources on its network". Add the useful routes by hand.

check install

/system check-installation

debug spanning tree

/interface bridge port monitor [find]

LOOP (external)

[admin@plmagw03] /interface vlan> /interface print       
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  RS ether1                              ether            1500  1588       4064
 1   S ether2                              ether            1500  1588       4064
 2   S ether3                              ether            1500  1588       4064
 3   S ether4                              ether            1500  1588       4064
 4   S ether5                              ether            1500  1588       4064
 5   S ether6                              ether            1500  1588       4064
 6   S ether7                              ether            1500  1588       4064
 7   S ether8                              ether            1500  1588       4064
 8   S ether9                              ether            1500  1588       4064
 9   S ether10                             ether            1500  1588       4064
10   S ether11                             ether            1500  1588       4064
11   S ether12                             ether            1500  1588       4064
12   S ether13                             ether            1500  1588       4064
13   S ether14                             ether            1500  1588       4064
14   S ether15                             ether            1500  1588       4064
15   S ether16                             ether            1500  1588       4064
16   S ether17                             ether            1500  1588       4064
17  RS ether18                             ether            1500  1588       4064
18   S ether19                             ether            1500  1588       4064
19   S ether20                             ether            1500  1588       4064
20   S ether21                             ether            1500  1588       4064
21   S ether22                             ether            1500  1588       4064
22   S ether23                             ether            1500  1588       4064
23  RS ether24                             ether            1500  1588       4064
24     sfp1                                ether            1500  1588       4064
25  R  br-spanning-tree                    bridge           1500  1588
26     ;;; 1970.01.02-18:14:44: received loop protect packet originated from 6C:3B:6B:8...
       vlan1                               vlan             1500  1584

LOOP (internal)

[admin@plmagw03] /interface vlan> /interface bridge port monitor [find]
                 interface: ether1          ether2          ether3                   ethe>
                    status: in-bridge       in-bridge       in-bridge                in-b>
               port-number: 1               2               3                        4   >
                      role: designated-port designated-port backup-port              disa>
                 edge-port: no              no              no                       no  >
       edge-port-discovery: yes             yes             yes                      yes >
       point-to-point-port: no              no              no                       no  >
              external-fdb: no              no              no                       no  >
              sending-rstp: yes             yes             yes                      no  >
                  learning: yes             yes             no                       no  >
                forwarding: yes             yes             no                       no  >
            root-path-cost:                                 10                           >
         designated-bridge:                                 0x8000.6C:3B:6B:85:B8:85     >
           designated-cost:                                 0                            >
    designated-port-number:                                 2                            >
-- [Q quit|D dump|C-z pause|right]

NORMAL

[admin@plmagw03] /interface vlan> /interface bridge port monitor [find]
              interface: ether1          ether2          ether3        ether4        ethe>
                 status: in-bridge       in-bridge       in-bridge     in-bridge     in-b>
            port-number: 1               2               3             4             5   >
                   role: designated-port designated-port disabled-port disabled-port disa>
              edge-port: no              yes             no            no            no  >
    edge-port-discovery: yes             yes             yes           yes           yes >
    point-to-point-port: no              no              no            no            no  >
           external-fdb: no              no              no            no            no  >
           sending-rstp: yes             yes             no            no            yes >
               learning: yes             yes             no            no            no  >
             forwarding: yes             yes             no            no            no  >
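Added example, not part of the original notes: a Python parser for the column-aligned monitor output that reports the ports RSTP has blocked, which is how the internal loop showed up above (ether3 in the backup-port role). The sample dump is constructed to match that capture's layout; the `_row` helper only exists to build it.

```python
# RSTP roles in which a port that is physically up discards frames: a
# backup-port or alternate-port only exists when the bridge has a redundant
# path, i.e. a loop.
BLOCKING_ROLES = {"backup-port", "alternate-port"}

def _row(key, *cells, widths=(16, 16, 25)):
    """Lay out one monitor row the way the console prints it: field name
    right-aligned before the colon, then one fixed-width column per port."""
    padded = [c.ljust(w) for c, w in zip(cells, widths)] + list(cells[len(widths):])
    return f"{key:>19}: " + "".join(padded)

# Constructed sample (not the capture above): ether3 is a second cable into
# the same neighbour, so RSTP has put it in the backup-port role.
SAMPLE = "\n".join([
    _row("interface", "ether1", "ether2", "ether3", "ether4"),
    _row("status", "in-bridge", "in-bridge", "in-bridge", "in-bridge"),
    _row("role", "designated-port", "designated-port", "backup-port", "disabled-port"),
    _row("sending-rstp", "yes", "yes", "yes", "no"),
    _row("learning", "yes", "yes", "no", "no"),
    _row("forwarding", "yes", "yes", "no", "no"),
    _row("root-path-cost", "", "", "10", ""),
    _row("designated-bridge", "", "", "0x8000.6C:3B:6B:85:B8:85", ""),
    "-- [Q quit|D dump|C-z pause|right]",
])

def parse_port_monitor(text):
    """Return {interface: {field: value}}. Column boundaries are taken from
    the 'interface' row and reused below it, so empty cells (root-path-cost
    on a designated port) and values containing ':' are read correctly."""
    columns, ports = [], {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("--"):
            continue
        key, values = line.split(":", 1)  # the first colon ends the field name
        key = key.strip()
        if key == "interface":
            starts = [i for i, ch in enumerate(values)
                      if ch != " " and (i == 0 or values[i - 1] == " ")]
            columns = list(zip(starts, starts[1:] + [len(values)]))
            ports = {values[s:e].strip(): {} for s, e in columns}
            continue
        for name, (s, e) in zip(ports, columns):
            ports[name][key] = values[s:e].strip()
    return ports

def blocking_ports(ports):
    """(interface, role, designated-bridge) for every port RSTP is blocking."""
    return [(name, f.get("role"), f.get("designated-bridge", ""))
            for name, f in ports.items() if f.get("role") in BLOCKING_ROLES]
```

The designated-bridge of a blocked port names the bridge ID on the far end of the redundant path, which is the MAC the loop-protect log line in the external capture points at as well.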

backup script

{
  :local curDate [/system clock get date]
  :local curTime [/system clock get time]
  :local systemName [/system identity get name]
  # RouterOS 6 prints the date as mon/dd/yyyy (e.g. jan/02/1970); turn the
  # month name into a zero-padded number so that file names sort by date
  :local curMonth [:pick $curDate 0 3]
  :set curMonth ([:find "jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,dec" $curMonth -1] / 4 + 1)
  :if ($curMonth < 10) do={ :set curMonth ("0" . $curMonth) }
  :local curDay  [:pick $curDate 4 6]
  :local curYear [:pick $curDate 7 11]
  :local curHour [:pick $curTime 0 2]
  :local curMin  [:pick $curTime 3 5]

  # Writes <identity>-YYYYMMDD-HHMM.rsc; show-sensitive keeps keys and
  # passwords in the file, so handle it like a credential
  /
  /export show-sensitive file=("$systemName" . "-" . "$curYear" . "$curMonth" . "$curDay" . "-" . "$curHour" . "$curMin")
  /file print
}

Automatic Import

In RouterOS it is possible to automatically execute scripts: your script file has to be named anything.auto.rsc. Once this file is uploaded to the router using FTP, it is executed automatically, just as with the '/import' command. This method only works with FTP. Information about the success of the commands that were executed is written to anything.auto.log

Simple queue: share an internet link fairly

/queue type
add kind=pcq name=PCQ_download pcq-classifier=dst-address
add kind=pcq name=PCQ_upload pcq-classifier=src-address

/queue simple
add max-limit=100M/100M name=queue1 queue=PCQ_upload/PCQ_download target=192.168.1.0/24

Editing scripts

  /system script remove brvlan
  /system script add name=brvlan
  /system script edit brvlan source

paste your script, then Ctrl+O to save

  /system script edit brvlan source

review your syntax. Other solution:

  /system script print where name=brvlan

Or edit in Sublime Text:

  1. install "Package Control", restart Sublime Text
  2. Ctrl + P ⇒ Install Package ⇒ MikroTik scripting